🧿Enumeration

Initial external enumeration steps.

Initial Scan

Start with an nmap script across all ports. This helps identify what would be useful to tackle next.

sudo nmap -Pn -sV -sC -p- TARGET -oN nmap_TARGET_sC_sV_allports.nmap

For any service, try searching the relevant services in the script database for nmap using the aliased command (see Resources page).

nmapsearch SEARCHTERM

If a hostname is available, add that to the /etc/hosts file. In the event that the target is also a domain controller, add the domain in the hosts entry.

Ping

Assuming ICMP traffic isn't blocked, pinging the host can be used to infer OS.

If the TTL is... in the 60s -> Linux, in the 120s -> Windows, in the 200s -> possibly networking equipment.

FTP/21

Anonymous FTP Access

Try the following combinations: anonymous/anonymous, anonymous/BLANK, ftp/ftp

SSH/22

SSH is a protocol offering encrypted remote terminal access to a host.

If an authorized_keys file is obtained and it has a dss key at the top, look at this technique.

SMTP/25/POP3/110

Look around at what you can find

Telnet in, poke around to see if you can see a list of users and change their passwords
Try to login to their email via POP3
Example: look at SolidState walkthrough/notes

Use swaks to interact and script SMTP

Usage:

swaks --from FROM-EMAIL --to TARGET-EMAIL --header HEADER --body CONTENT --server EMAIL-SERVER

Example: Look at SneakyMailer write-up

DNS/53

Start with an nmap scan:

nmap -Pn -p 53 --script dns* TARGET -oN nmap_TARGET_dns_enum.nmap

Nslooklup:

nslookup

Changes default server to IPADDR: server IPADDR
- Only necessary when using a specific server (i.e. target host is running DNS)
IP address to lookup: IPADDR

DNSRecon:

dnsrecon -r IPRANGE -n TARGET

Reverse DNS Lookup
Example: dnsrecon -r 10.10.10.10/24 -n 10.129.104.91

Zone Transfer:

dig axfr DOMAIN @IP > dig_DOMAIN.txt

Try to see if there is a TLS certificate domain name to try
This can be useful for finding A records
Add these to hosts file!
Quickly pull the domains:

cat dig* | grep -v ";" | grep "A" | cut -f 1 | cut -d " " -f 1 | uniq

Visit all of these sites!

TFTP/69

TFTP, of the Trivial File Transfer Protocol, runs on UDP. It basically can only upload/download files.

Using a Python terminal, a client can be created to pull down files. This seems to only accept 8.3 directory notation, which can be found using dir /x.

>>>import tftpy
>>>client = tftpy.TftpClient("IPADDR",PORT)
>>>client.download(REMOTEFILEPATH, LOCALFILENAME, timeout=15)

Reference: https://book.hacktricks.xyz/network-services-pentesting/69-udp-tftp

Finger/79

Interact with finger service: finger @IPADDR

If you have a user: finger USER@IPADDR

Enumerate with finger-user-enum: ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t IPADD

Source: https://pentestmonkey.net/tools/user-enumeration/finger-user-enum

HTTP/80/HTTPS/443

Start with nmap scan:

sudo nmap -Pn -sV --script http-enum,http-title,http-methods,http-robots.txt,http-backup-finder,http-config-backup,http-generator,http-git,http-userdir-enum,http-comments-displayer -p HTTPPORTS TARGET -oN nmap_TARGET_http_enum.nmap

If site is HTTPs, check the certificate and make sure the domains are added to hosts file.

Directory Bruteforcing

Gobuster everything:

gobuster dir -k -u http://IPADDR -w /usr/share/wordlists/dirb/common.txt -t 20 -x .txt,.php,.cgi,.sh,.html,.asp,.aspx | tee gobuster_TARGET.gobuster

Additionally run Gobuster for all subdirectories identified that aren't visitable.
If needed, use a stronger wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Also consider some SecList wordlists
- /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
If using a specific application, search for relevant wordlists: find /usr/share/SecLists/ | grep APPLICATION

If stuck with Gobuster, consider switching to Dirb as there is not 100% overlap.

Watch out for configuration/test files, such as phpinfo()

ALWAYS search 'password' on any configs or test files

Subdomain Fuzzing

Wfuzz for subdomain bruteforcing:

wfuzz -u http://IPADDR -H "Host: FUZZ.WEBSERVER_URI_ROOT" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw 26 | tee subdomains_TARGET.wfuzz

Additional Attacks

Web exploitation is a vast area, so more techniques can be found in the Web Exploitation page: https://notes.notmalicio.us/web-exploitation

Kerberos/88

Check that localhost time is within one minute of listed scan time

SMB/139/445

SMB Enumeration

Identify dialect and modify /etc/samba.conf min client protocol accordingly:

sudo nmap -Pn -p445 --script smb-protocols TARGET -oN nmap_TARGET_smb_protocols.nmap

Follow up with another nmap scan:

nmap -Pn -sV --script=smb-ls,smb-mbenum,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb-system-info -p 139,445 TARGET -oN nmap_TARGET_smb_enum.nmap

Start with enum4linux:

enum4linux IPADDR | tee e4l_TARGET.enum4linux

Find null sessions:

smbclient -N -L ////IPADDR

Enumerate with smbmap:

smbmap -H IPADDR

Brute force logins with a userlist and a password list:

hydra -L USERLIST -P PASSWORDLIST IPADDR smb

Interact with SMB

Interact with SMBClient:

smbclient ////IPADDR//SHARE

Using smbmap to recurse through a share:

smbmap -R SHARENAME -H IPADDR --depth 20 | tee smbmap_TARGET_SHARE.smb

Note: Check for Groups.XML on older Windows (i.e. pre-2012) hosts --> Attacking Groups.XML

Using smbmap to download a file:

smbmap -R SHARENAME -H IPADDR --depth 20 -A FILENAME -q

-q is for quiet to make it clog the terminal less
To find the file: locate FILENAME

Using smbmap with credentials:

smbmap -u USERNAME -p PASSWORD -H IPADDR

Add a domain with -d DOMAIN
If you have admin, you can also use -x COMMAND to execute commands

Use crackmapexec to further enumerate and interact with SMB:

crackmapexec smb IPADDR -u USERNAME -p PASSWORD

-u can take in a list or a single username
Add --share to enumerate shares
Add --continue-on-success to enumerate all accounts that may be valid
May be worth trying -u whatever and -p ""

The file explorer can be used to browse shares easily by typing smb://IPADDR/SHARENAME in the address bar

rpcclient can be used with credentials to extract additional information from SMB

rpcclient -U USERNAME%PASSWORD IPADDR

Below is a table with useful commands for rpcclient

Command

Goal

querydispinfo

Queries display info, can return users and accounts

enumprinters

Enumerates printers

Mount a share:

Create directory: mkdir smb
Mount the share on the directory: sudo mount -t cifs //TARGET/SHARE ./smb/

Change Password with SMB

Change the password of an SMB account:

sudo smbpasswd -r IPADDR USERNAME

Alternative for changing password with Impacket:

./changepassword.py DOMAIN/USERNAME:"PASSWORD"@TARGET -newpass "NEWPASSWORD"

SNMP/161

Use snmpwalk to pull information about host

snmpwalk -v2c -c public IPADDR . | tee snmp_TARGET.snmpwalk

Where -c public is the default community
A script to parse the very dense output of snmpwalk:

# SNMPwalk Parser
# Because i ain't reading all of that

import sys
import os
import re

def netstat_portion(snmpwalk_lines):
    netstat_info = []

    for l in snmpwalk_lines:
        if re.search('udpLocalPort',l) or re.search('\:\:tcpConnState',l):
            netstat_l = f"{'udp' if re.search('udpLocal',l) else 'tcp'}\t\t"

            sl = l.split('.')
            l_ip = f"{sl[1]}.{sl[2]}.{sl[3]}.{sl[4]}"
            if len(l_ip) > 8:
                l_ip += "\t\t"
            else:
                l_ip += "\t\t\t"
            l_port = (sl[5]).split()[0]
            
            netstat_l += f"{l_ip}{l_port}"
            netstat_info.append(netstat_l)

    print("================= Networking =================")
    print("protocol\tlocal ip\t\tlocal port")

    for l in netstat_info:
        print(l)

def process_portion(snmpwalk_lines):
    process_lines = {}
    process_info = []

    for l in snmpwalk_lines:
        if re.search('hrSWRunName',l):
            pid = l.split(".")[1].split()[0]
            process = l.split('"')[1].split()[0]
            
            process_lines[str(pid)] = {}
            process_lines[str(pid)]["process"] = process

        if re.search('hrSWRunParameters',l):
            pid = l.split('.')[1].split()[0]
            args = ""
            if len(l.split("STRING: ")) > 1:
                args += l.split('"')[1]

            process_lines[str(pid)]["args"] = args


    for pl in process_lines.keys():
        process_info.append(f"{pl}\t\t{process_lines[pl]['process']} {process_lines[pl]['args']}")

    print("================= Processes =================")
    print("pid\t\tprocess\t\targs")

    for l in process_info:
        print(l)

n = len(sys.argv)

if n == 2:
    snmpwalk_content = ""
    with open(sys.argv[1],"r") as snmpout:
        snmpwalk_content = snmpout.read()

    snmpwalk_lines = snmpwalk_content.split('\n')

    netstat_portion(snmpwalk_lines)
    print('\n')
    process_portion(snmpwalk_lines)


else:
    print(f"Usage: {sys.argv[0]} SNMPWALK.out")

Another tool snmp-check can be used to enumerate SNMP

snmp-check TARGET | tee snmp_TARGET.snmpcheck

LDAP/389

LDAP is a service that offers a way to search for information that is in AD.

Use ldapsearch to search for LDAP information

Basic usage:

ldapsearch -H ldap://IPADDR -x | tee ldap_TARGET_basic.ldapsearch

Where -x means simple authentication

Finding naming conventions:

ldapsearch -H ldap://IPADDR -x -s base namingcontexts | tee ldap_TARGET_naming_contexts.ldapsearch

Using the naming conventions to search base:

ldapsearch -H ldap://IPADDR -x -b "DC=DCNAME,DC=DCNAME" | tee ldap_TARGET_basesearch.ldapsearch

Generic querying of LDAP:

ldapsearch -H ldap://IPADDR -x -b "DC=DCNAME,DC=DCNAME" QUERYHERE | tee ldap_TARGET_basesearch_QUERY.ldapsearch

Use the following for the QUERYHERE argument
- Find people: '(objectClass=Person)'
- Find usernames: '(objectClass=Person)' sAMAccountName
  - Convert this list into a user list: cat ldap_TARGET_users.ldapsearch | grep sAMAccountName | awk '{print $2}' > users_list.users

IPSEC/500/4500

Enumerate with ike-scan

Usage:

ike-scan -M IPADDR | tee ike_TARGET.ikescan

Aggressive mode (for pulling hashes):

ike-scan IPADDR | tee ike_TARGET_aggresive.ikescan

Connect to the VPN

Using strongswan

Setup
- Edit the /etc/ipsec.secrets file to add the plaintext VPN PSK
  - Add this line: IPADDR %any : PSK "PASSWORD"
- Edit the /etc/ipsec.conf file to add connection configuration information
  - See the examples in the file to write the configuration
Troubleshooting: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html
Start: sudo ippsec start --nofork

IPMI/623

IPMI allows for management and monitoring of computer performance.

Using nmap for version enumeration:

sudo nmap -sU --script ipmi-version -p 623 TARGET -oN nmap_TARGET_sU_ipmi_enum.nmap

MS-SQL/1433

Use nmap to do some initial enum on MS-SQL:

sudo nmap -sV --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=MSSQLPORTS,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -p MSSQLPORTS TARGET -oN nmap_TARGET_mssql_enum.nmap

Reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
Substitute information (i.e. password) as you find more info

Master.mdf

The master.mdf file offers an opportunity to extract hashes.

Reference: https://xpnsec.tumblr.com/post/145350063196/reading-mdf-hashes-with-powershell
Tool: https://github.com/xpn/Powershell-PostExploitation/tree/master/Invoke-MDFHashes
- Remember to chmod master.mdf to binary!

Credentialed Access

Once credentials are obtained for MS-SQL, a few tools can be used to obtain shell access:

Crackmapexec: crackmapexec mssql IPADDR -d "DOMAIN" -u sa -p "PASSWORD" -x "COMMAND"
- sa is the username in this case
Impacket: impacket-mssqlclient sa@IPADDR
- You may need to enable_xp_cmdshell

Oracle Database/1521

Use Nmap to brute force the SIDs and then use the output to brute force

Brute force SIDS:

nmap --script oracle-sid-brute -p 1521 TARGET -oN nmap_TARGET_oracle_brute_sids.nmap

SID will be used in the rest of the commands to denote the identified SID from this scan
Brute force users:

nmap --script oracle-enum-users --script-args oracle-enum-users.sid=SID -p 1521 TARGET -oN nmap_TARGET_oracle_enum_users.nmap

Brute force:

nmap --script oracle-brute --script-args oracle-brute.sid=SID -p 1521 TARGET -oN nmap_TARGET_oracle_brute.nmap

To change the password list, add the argument brute.credfile
- Possibly this one from SecLists: /usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt
  - Use Sed to conform it into a brute file: sed -i 's/:///g' oracle-betterdefaultpasslist.txt

Connect to Oracle DB

Once valid credentials are obtained, use sqlplus64 to interact with the service
- Usage: sqlplus64 USERNAME/PASS@TARGET/SID
- Higher privs (like sudo for Oracle DB): sqlplus64 USERNAME/PASS@TARGET/SID as sysdba

Extracting information from the DB as a given user

User privileges: select * from user_role_privs;
Session privileges: select * from session_privs;
Reading a file:

declare
  f utl_file.file_type;
  s varchar(200);
begin
  f := utl_file.fopen('PATH', 'FILE', 'R');
  utl_file.get_line(f,s);
  utl_file.fclose(f);
  dbms_output.put_line(s);
end;

If no output, turn on server output: set serveroutput ON

declare
  f utl_file.file_type;
  s varchar(1000) := 'CONTENT';
begin
  f := utl_file.fopen('PATH', 'FILE', 'W');
  utl_file.put_line(f,s);
  utl_file.fclose(f);
end;

NFS/2049

Nmap enumeration of NFS:

sudo nmap -Pn -sV --script nfs-ls,nfs-showmount,nfs-statfs -p NFS_PORTS TARGET -pN nmap_TARGET_nfs_enum.nmap

Show NFS mount:

showmount -e TARGET

To mount the NFS:

mkdir nfs_mnt # "local folder", which can be named anything
sudo mount -t nfs IP:/SHARE nfs_mnt -o nolock
cd nfs_mnt

MySQL/3306

Attempt to connect: mysql -h TARGET -u root

For additional nmap enumeration:

sudo nmap -Pn -sV --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 -p MYSQLPORTS TARGET -oN nmap_TARGET_mysql_enum.nmap

RDP/3389

RDP is the remote desktop protocol, so the best way into this service is with creds.

For additional enumeration:

sudo nmap -Pn -sV --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info -p RDPPORTS TARGET -oN nmap_TARGET_rdp_enum.nmap

SVN/3690

Subversion is a software versioning system.

To checkout a repository with subversion:

svn checkout svn://TARGET

To see the log after checkout:

svn log

To go to a previous revision, where the desired "step back" is a number X):

svn up -rX

VNC/5800/5801/5900/5901

Refer to https://book.hacktricks.xyz/network-services-pentesting/pentesting-vnc

WinRM/5985/5986

If these ports are open, then Windows Remoting may be enabled. This can offer a foothold if credentials are found. If the `Remote Management Users` group is identified to exist, this protocol may also be enabled.

Use crackmapexec to further enumerate and interact with SMB:

crackmapexec win-rm IPADDR -u USERNAME -p PASSWORD

-u can take in a list or a single username
Add --continue-on-success to enumerate all accounts that may be valid

evil-winrm -u USERNAME -p PASSWORD -i IPADDR

Redis/6379

Redis acts as a key-value store.

Nmap enumeration:

nmap -sV --script=redis-info -p REDISPORT TARGET -o nmap_TARGET_redis.txt

Directly connect via nc: nc -nvv TARGET 6379

Try INFO command first
If you have creds, try AUTH USERNAME PASSWORD

Interact with Redis:

Select database: SELECT 0, SELECT 1
Return keys: KEYS *
Get key ABC: GET ABC

Arbitrary file write:

Identify current directory: CONFIG GET DIR
Set to desired directory: CONFIG SET DIR /desired/path
Set contents (CONTENT) of key (KEYFILE): SET KEYFILE CONTENT
- Switch to redis-cli for this portion
Name file NAME: CONFIG SET DBFILENAME NAME
Save file: SAVE

Refer to https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis

Splunkd/8089

If you have valid credentials, try this guide: https://book.hacktricks.xyz/network-services-pentesting/8089-splunkd
- Tools include: https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2

NextWeb Exploitation

Last updated 2 months ago

hashtagInitial Scan

hashtagPing

hashtagFTP/21

hashtagSSH/22

hashtagSMTP/25/POP3/110

hashtagDNS/53

hashtagTFTP/69

hashtagFinger/79

hashtagHTTP/80/HTTPS/443

hashtagDirectory Bruteforcing

hashtagAdditional Attacks

hashtagKerberos/88

hashtagSMB/139/445

hashtagSMB Enumeration

hashtagInteract with SMB

hashtagMount a Share

hashtagChange Password with SMB

hashtagSNMP/161

hashtagLDAP/389

hashtagIPSEC/500/4500

hashtagConnect to the VPN

hashtagIPMI/623

hashtagMS-SQL/1433

hashtagMaster.mdf

hashtagCredentialed Access

hashtagOracle Database/1521

hashtagConnect to Oracle DB

hashtagExtracting information from the DB as a given user

hashtagNFS/2049

hashtagMySQL/3306

hashtagRDP/3389

hashtagSVN/3690

hashtagVNC/5800/5801/5900/5901

hashtagWinRM/5985/5986

hashtagRedis/6379

hashtagSplunkd/8089